
Re: [WEB SECURITY] HTTP cache poisoning via Host header injection



Michael S. Menefee wrote:
I then used webscarab intercept to call the following:

http://server2

(server2 has an empty directory)

I changed the host header to "Host: server1"

I received the following content:

Blah


So you can use this method in shared hosting environments by taking
advantage of the Host header variable.

Technically, this should work. But what is the attack here? If we rule out intermediate proxy/cache servers (which we discussed earlier), this leaves us with the browser itself as a victim. But in order for the browser to send a Host header which does not conform to the URL the browser "has in mind", we need to use attack techniques such as XHR+XSS (http://www.securityfocus.com/archive/107/308433, see the first example - changing the Host header in a virtual hosting scenario) or Flash header addition (http://www.securityfocus.com/archive/1/441014).


But if you manage to have traffic arriving at the "evil host" (virtual host co-hosted with the "good host" on the same IP address), you no longer interact with the original application - you can conveniently respond with any page you like...

-Amit
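The shared-hosting scenario discussed in this thread, as an added toy model (not code from either poster): two virtual hosts on one address, a request whose Host header names a different co-hosted site than its URL, and a forward cache in between. It shows why a cache keyed on the URL authority alone is poisoned with the other vhost's page, and that keying entries on the Host header actually forwarded prevents it. The vhost names come from the thread; the vhost table, cache and status handling are constructed assumptions.

```python
# Constructed vhost table for the two hosts named in the thread.
VHOSTS = {
    "server1": {"/": "Blah"},   # server1 serves "Blah" at /
    "server2": {"/": ""},       # server2 has an empty directory
}


def origin(host_header, path):
    """Origin server: select the virtual host from the Host header only.
    Unknown hosts get 421 Misdirected Request rather than a default vhost."""
    vhost = VHOSTS.get(host_header)
    if vhost is None:
        return 421, ""
    body = vhost.get(path)
    return (200, body) if body is not None else (404, "")


class SharedCache:
    """Forward cache between clients and the origin.
    key_on_host=False keys entries on the URL authority only (weak setting);
    key_on_host=True also keys on the Host header that was forwarded."""

    def __init__(self, key_on_host):
        self.key_on_host = key_on_host
        self.store = {}

    def fetch(self, url_host, path, host_header):
        key = (host_header if self.key_on_host else url_host, path)
        if key not in self.store:
            status, body = origin(host_header, path)
            if status != 200:           # only successful responses are cached
                return status, body
            self.store[key] = body
        return 200, self.store[key]


def victim_sees(key_on_host):
    """Replay the thread: an altered request for http://server2/ carrying
    Host: server1, then an honest request for http://server2/.
    Returns the body the honest client receives."""
    cache = SharedCache(key_on_host)
    cache.fetch("server2", "/", "server1")             # Host header altered
    _, body = cache.fetch("server2", "/", "server2")   # honest request
    return body


if __name__ == "__main__":
    print(repr(victim_sees(False)))  # 'Blah' -> server1's page served for server2
    print(repr(victim_sees(True)))   # ''     -> server2's own empty content
```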



Brought to you by http://www.webappsec.org